lev-cdo

Pass

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: SAFE
PROMPT_INJECTION
COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection attack surface (Category 8).
      * Ingestion points: Untrusted data enters the agent context through raw user queries, codebase search results via lev get, and external bug reports in the debug workflow.
      * Boundary markers: The skill uses disk-based artifact passing to isolate agent outputs (preventing 'groupthink'), but it lacks explicit delimiters or instructions to ignore embedded commands within the processed inputs.
      * Capability inventory: The skill possesses the capability to write files to the local disk (within tmp/ and project paths), read project metadata from ~/.lev/pm/, and execute local subprocesses such as lev cdo and vendor-provided node scripts.
      * Sanitization: No explicit sanitization, validation, or escaping of ingested data is documented before it is used to drive workflow logic or code modifications.
  • [COMMAND_EXECUTION]: The skill frequently invokes shell commands via lev and node to execute workflows, search the codebase, and manage task metadata. Specifically, it executes a local vendor script located at ~/lev/workshop/poc/lookup/cli.js to handle skill discovery.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 6, 2026, 12:47 AM
Security Audit — agent-trust-hub — lev-cdo